I spoke with a CapitalOne employee after this hack who was involved in "cleaning up" the security. He wasn't allowed to discuss specifics, but he did share some fun facts:
- The hacker was very smart
- The hacker chained together "about 6 or 7" different exploits to get to the data. Note, this means it is much harder than "leaving an S3 bucket public"
- The hacker tried to sell the data, but couldn't find a buyer before being found out
That is crazy to me. `hacker chained together "about 6 or 7" different exploits to get to the data` <- but somehow the hacker couldn't use a $5 per month VPN?
The hacker did use a VPN, but they also posted snippets of the stolen data online, possibly to brag or find potential buyers, which eventually led to their real identity.
A VPN isn't cruise control to anonymity. Being based in a country without an extradition treaty with the US probably offers much better protection, e.g. Russia, China.